The present disclosure relates to the information technology field. More specifically, this disclosure relates to the identification of software components in computing systems.
The background of the present disclosure is hereinafter introduced with the discussion of techniques relating to its context. However, even when this discussion refers to documents, acts, artifacts and the like, it does not suggest or represent that the discussed techniques are part of the prior art or are common general knowledge in the field relevant to the present disclosure.
The identification of software components in computing systems, or simply computers, is a commonplace activity in several applications.
A typical example is the identification of malwares that might perform malicious operations on the computers (for example, viruses, worms, trojan horses). This is important for ensuring security of the computers, especially when they are routinely used to access external networks (like the Internet).
For this purpose, anti-malwares (such as anti-viruses) are commonly used to protect the computers from malwares; the anti-malwares are aimed at preventing the installation of malwares, detecting activities performed by them and removing their threats. Particularly, the anti-malware of each computer may provide real-time protection by monitoring the computer for suspicious activities relating to the loading of software components therein, including their deployment, opening or execution; whenever the anti-malware detects these activities, it neutralizes the corresponding malwares, for example, by preventing their installation, deleting them or moving them to a quarantine area (wherein the malwares are no longer capable of damaging the computer). In this case, the anti-malware operates at a kernel level of an operating system of the computer (with a permission of a corresponding user) to implement the required functionalities. Moreover, the anti-malware may be used to scan (for example, periodically) the computer to detect and neutralize as above any malwares that are found.
Generally, the anti-malwares identify the malwares according to corresponding signatures defined by their (cryptographic) hash values, or simply hashes. Particularly, each anti-malware has a signature database (being continually updated for new malwares) that stores the hashes of all the known malwares. During the real-time monitoring or the periodic scanning of the corresponding computer, the anti-malware calculates the hash of each software component currently under analysis; the software component is identified as a malware whenever a match of its hash is found in the signature database.
However, the calculation of the hashes of the software components is relatively complex from a computation point of view. Therefore, the verification of the software components involves an overhead of the computers that may adversely affect their performance, especially when the verification is performed in real-time.
Moreover, several organizations (such as private or public companies) have policies that prevent the use of (unauthorized) software programs on their computers; typically, these unauthorized software programs are unrelated to an activity of the organization (such as games, social networks) or do not comply with applicable license conditions (such as for private use only). For this purpose, a monitoring agent running on each computer monitors any software program that is deployed thereon (for example, downloaded from the Internet). The monitoring agent verifies the software program against a blacklist (or block list) of the unauthorized software programs; whenever a match of the software program is found in the blacklist, the monitoring agent denies its installation on the computer. For this purpose, the monitoring agent uses corresponding signatures of the (unauthorized) software programs to identify them, for example, defined by their names and sizes. However, the identification of the software components by their names/sizes is relatively weak; this adversely affects the accuracy of the monitoring agent.
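The two identification schemes discussed above (hash-based signature lookup, and the weaker name/size blacklist) can be contrasted with a small worked example. The code below is added here for illustration; it is not part of the patent text and describes no real product. All file contents, the signature database and the blacklist are constructed for the example (no real malware hashes are used); the hash function is SHA-256, which the text does not specify and is an assumption here.

```python
import hashlib
import os
import tempfile

# Constructed sample contents standing in for software components.
# None of these are real malware; they exist only to produce distinct hashes.
MALWARE_CONTENT = b"constructed malicious payload, not real malware"
GAME_CONTENT = b"constructed unauthorized game binary, padded......"
# Benign content padded to exactly the same length as GAME_CONTENT so that a
# name/size blacklist cannot tell them apart.
BENIGN_CONTENT = b"constructed benign tool binary".ljust(len(GAME_CONTENT), b".")
assert len(BENIGN_CONTENT) == len(GAME_CONTENT)

# Constructed signature database: hashes of known-bad contents (assumed SHA-256).
SIGNATURE_DB = {hashlib.sha256(MALWARE_CONTENT).hexdigest()}

# Constructed blacklist in the weak (name, size) form described in the text.
NAME_SIZE_BLACKLIST = {("game.exe", len(GAME_CONTENT))}


def file_hash(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_signature_db(path):
    """Hash-based identification: content decides, the file name is irrelevant."""
    return file_hash(path) in SIGNATURE_DB


def matches_name_size_blacklist(path):
    """Name/size identification: only metadata is compared, never the content."""
    return (os.path.basename(path), os.path.getsize(path)) in NAME_SIZE_BLACKLIST


def _write(directory, name, content):
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(content)
    return path


def run_demo():
    """Evaluate both schemes on constructed files.

    Returns {case: (hash_match, name_size_match)}.
    """
    cases = {
        # Known-bad content saved under an innocuous name.
        "renamed_malware": ("invoice.pdf", MALWARE_CONTENT),
        # Unauthorized program under its usual name: both schemes can see it.
        "game": ("game.exe", GAME_CONTENT),
        # Same unauthorized content renamed: name/size blacklist misses it.
        "renamed_game": ("notes.txt", GAME_CONTENT),
        # Benign content with the same name and size: name/size false positive.
        "benign_lookalike": ("game.exe", BENIGN_CONTENT),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for case, (name, content) in cases.items():
            # One sub-directory per case so that duplicate names do not collide.
            path = _write(os.path.join(tmp, case), name, content)
            results[case] = (matches_signature_db(path),
                             matches_name_size_blacklist(path))
    return results


if __name__ == "__main__":
    for case, (by_hash, by_name_size) in run_demo().items():
        print(f"{case:18s} hash_match={by_hash!s:5s} name_size_match={by_name_size}")
```

Running the demo shows the accuracy problem the text refers to: the name/size blacklist misses the renamed unauthorized program and flags a benign file that merely shares its name and length, while the hash lookup is unaffected by renaming. The chunked `file_hash` also illustrates the cost side of the trade-off: every byte of the component has to be read and processed before a decision can be made, which is the overhead mentioned for real-time verification.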
US-A-2009/0044024 discloses a technique for detecting, analyzing and quarantining unwanted files in a network environment, wherein a host agent residing on a computing device in the network environment detects a new file introduced to the computing device and sends the new file to a network service for analysis; corresponding file usage information collected by the host agent may be filtered out for unimportant events (for example, by collecting information about the launching of applications only so that events about access to non-applications are not sent to the network service).